Trellix · Capability

Trellix EDR API — Threats

Trellix EDR API — Threats. 2 operations. Lead operation: List detected threats. Self-contained Naftiko capability covering one Trellix business surface.

Run with Naftiko TrellixThreats

What You Can Do

GET
Listthreats — List detected threats
/v1/edr/v2/threats
GET
Getthreat — Get threat details
/v1/edr/v2/threats/{threatid}

MCP Tools

list-detected-threats

List detected threats

read-only idempotent
get-threat-details

Get threat details

read-only idempotent

Capability Spec

edr-threats.yaml Raw ↑ 
naftiko: 1.0.0-alpha2
info:
  label: Trellix EDR API — Threats
  description: 'Trellix EDR API — Threats. 2 operations. Lead operation: List detected threats. Self-contained Naftiko capability
    covering one Trellix business surface.'
  tags:
  - Trellix
  - Threats
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    TRELLIX_API_KEY: TRELLIX_API_KEY
capability:
  consumes:
  - type: http
    namespace: edr-threats
    baseUri: https://api.manage.trellix.com
    description: Trellix EDR API — Threats business capability. Self-contained, no shared references.
    resources:
    - name: edr-v2-threats
      path: /edr/v2/threats
      operations:
      - name: listthreats
        method: GET
        description: List detected threats
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: since
          in: query
          type: string
          description: Return threats detected after this ISO 8601 timestamp.
        - name: severity
          in: query
          type: string
          description: Filter threats by severity level
    - name: edr-v2-threats-threatId
      path: /edr/v2/threats/{threatId}
      operations:
      - name: getthreat
        method: GET
        description: Get threat details
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    authentication:
      type: bearer
      token: '{{env.TRELLIX_API_KEY}}'
  exposes:
  - type: rest
    namespace: edr-threats-rest
    port: 8080
    description: REST adapter for Trellix EDR API — Threats. One Spectral-compliant resource per consumed operation, prefixed
      with /v1.
    resources:
    - path: /v1/edr/v2/threats
      name: edr-v2-threats
      description: REST surface for edr-v2-threats.
      operations:
      - method: GET
        name: listthreats
        description: List detected threats
        call: edr-threats.listthreats
        with:
          since: rest.since
          severity: rest.severity
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/edr/v2/threats/{threatid}
      name: edr-v2-threats-threatid
      description: REST surface for edr-v2-threats-threatId.
      operations:
      - method: GET
        name: getthreat
        description: Get threat details
        call: edr-threats.getthreat
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: edr-threats-mcp
    port: 9090
    transport: http
    description: MCP adapter for Trellix EDR API — Threats. One tool per consumed operation, routed inline through this capability's
      consumes block.
    tools:
    - name: list-detected-threats
      description: List detected threats
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: edr-threats.listthreats
      with:
        since: tools.since
        severity: tools.severity
      outputParameters:
      - type: object
        mapping: $.
    - name: get-threat-details
      description: Get threat details
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: edr-threats.getthreat
      outputParameters:
      - type: object
        mapping: $.